tickets #16476: news.opensuse.org seems hacked
Status: Closed
https://progress.opensuse.org/issues/16476
Added by sflees@suse.de over 7 years ago. Updated about 7 years ago.
Description
--
Simon Lees (Simotek) http://simotek.net
Emergency Update Team keybase.io/simotek
SUSE Linux Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
Files
- signature.asc (488 Bytes), sflees@suse.de, 2017-02-05 12:22
- shot-2017-02-05_22-54-05.jpg (211 KB), sflees@suse.de, 2017-02-05 12:49
- signature.asc (488 Bytes), sflees@suse.de, 2017-02-05 12:49
- signature.asc (488 Bytes), sflees@suse.de, 2017-02-06 23:18
Updated by sflees@suse.de over 7 years ago
- File shot-2017-02-05_22-54-05.jpg added
- File signature.asc added
Has been changed again, here is a screenshot of what it was
Updated by tampakrap over 7 years ago
- Assignee set to 160
Ticket raised to MF-IT so that they will restore the content and update WordPress. Contacted my manager as well so we can get it urgent priority.
Updated by cboltz over 7 years ago
Any news on this?
FYI, the page was hacked again :-(
Updated by cboltz over 7 years ago
BTW: In case the original articles are lost - I still have a backup of them in my feedreader (at least the newest ones)
Updated by cwickert over 7 years ago
I wonder if the page was really hacked or if they just have Doug's password. The article was published under his account. Anyway, Doug should change his PW ASAP, but unfortunately he is not at work today. I guess he's still asleep after the long ride back from FOSDEM and staying up all night to watch the Superbowl.
Updated by AdaLovelace over 7 years ago
Doug changed his password at FOSDEM. So WordPress really is hacked.
Updated by pjessen over 7 years ago
WordPress is version 4.7.1, only three weeks old. Seems a popular target: https://wordpress.org/support/topic/wordpress-4-7-1-hacked-by-ng689skw/
Updated by cboltz over 7 years ago
Micah deployed WordPress 4.7.2 on news.opensuse.org two hours ago, using a database dump from Feb 2nd.
Forcing everybody to change his/her password is probably a good idea.
BTW: lizards.opensuse.org runs an even older WordPress (4.6.1, and funnily this is a good thing because this security issue was introduced in 4.7). Nevertheless, an update to WordPress 4.7.2 is scheduled for Wednesday.
Updated by sflees@suse.de over 7 years ago
- File signature.asc added
Someone was saying in IRC there was an exploit that allowed you to edit an existing post with no permissions; you'll notice it kept much of the meta from the original post, so this is likely what happened.
Updated by tampakrap over 7 years ago
- Category set to Servers hosted in Provo
- Status changed from New to Closed
I got confirmation from the helpdesk ticket that the update has been finished, and that the db has been restored to a pre-hacked version.
Updated by TBro over 7 years ago
https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
Read the above blog article for detailed information on this topic.
There was a content injection issue - so some post from Douglas was changed obviously to the hacked content.
That's why his account was on this post.
Unfortunately - it might have been possible to go on further from content injection to privilege escalation - but as the updates are now installed and databases are reset to an older state - that should no longer be a problem.
To avoid such problems in the future, I have a question: is someone or some script using the REST API of our WordPress instances?
If not - we should disable the REST API to minimize vectors.
Regards,
Thorsten
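The question raised above, whether anyone actually uses the REST API, can be answered from the web server's access log before the API is disabled. The following script is an added example, not part of this ticket and not code from the openSUSE infrastructure team: it parses Apache/nginx "combined" format lines, summarises every request under /wp-json/ by client and user agent, and separately lists write requests (POST, PUT, PATCH, DELETE) against the posts endpoints, which is the traffic that a content change through the REST API would leave behind. The log lines, IP addresses and user agents embedded in it are constructed samples.

```python
"""
Audit a WordPress access log for REST API (/wp-json/) usage.

Added example, not part of the ticket or of openSUSE infrastructure.
It summarises /wp-json/ traffic from an Apache/nginx "combined" format
log and lists write requests against the posts endpoints. All log lines
below are constructed samples; IPs and user agents are made up.
"""
import re
from collections import Counter

# One "combined" log format line: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# /wp-json/wp/v2/posts or /wp-json/wp/v2/posts/<id>, optionally followed by a query string
POSTS_RE = re.compile(r'^/wp-json/wp/v2/posts(?:/\d+)?(?:[?#]|$)')

# Constructed sample log: one reader, one script talking to the REST API, one feed reader.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2017:12:01:05 +0000] "GET /2017/02/04/some-article/ HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2017:12:01:06 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9131 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Feb/2017:12:04:41 +0000] "GET /wp-json/ HTTP/1.1" 200 5120 "-" "python-requests/2.12"
198.51.100.23 - - [05/Feb/2017:12:04:42 +0000] "POST /wp-json/wp/v2/posts/1234 HTTP/1.1" 200 3320 "-" "python-requests/2.12"
198.51.100.23 - - [05/Feb/2017:12:04:43 +0000] "POST /wp-json/wp/v2/posts/1235 HTTP/1.1" 401 120 "-" "python-requests/2.12"
192.0.2.10 - - [05/Feb/2017:12:10:00 +0000] "GET /feed/ HTTP/1.1" 200 40000 "-" "Feedreader/1.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit_rest_api(lines):
    """Summarise /wp-json/ traffic and list write requests against the posts endpoints."""
    summary = {
        "rest_requests": 0,
        "rest_clients": Counter(),      # ip -> number of REST requests
        "rest_user_agents": Counter(),  # user agent -> number of REST requests
        "accepted_writes": [],          # writes to posts that got a 2xx answer
        "rejected_writes": [],          # writes to posts that the server refused
        "unparsed": 0,                  # non-empty lines that did not match the format
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                summary["unparsed"] += 1
            continue
        if not rec["path"].startswith("/wp-json/"):
            continue
        summary["rest_requests"] += 1
        summary["rest_clients"][rec["ip"]] += 1
        summary["rest_user_agents"][rec["ua"]] += 1
        if rec["method"] in WRITE_METHODS and POSTS_RE.match(rec["path"]):
            entry = (rec["ip"], rec["method"], rec["path"], rec["status"])
            bucket = "accepted_writes" if 200 <= rec["status"] < 300 else "rejected_writes"
            summary[bucket].append(entry)
    return summary


def rest_api_in_use(summary):
    """True if any client touched the REST API at all, i.e. disabling it would break someone."""
    return summary["rest_requests"] > 0


if __name__ == "__main__":
    s = audit_rest_api(SAMPLE_LOG.splitlines())
    print("REST API in use:", rest_api_in_use(s))
    print("REST requests:", s["rest_requests"], "from", len(s["rest_clients"]), "client(s)")
    for ua, n in s["rest_user_agents"].most_common():
        print(f"  {n:4d}  {ua}")
    for ip, method, path, status in s["accepted_writes"]:
        print(f"ACCEPTED WRITE  {ip} {method} {path} -> {status}")
```

Run it against a real log by passing `open("access.log")` instead of the sample; a legitimate integration shows up as a stable user agent doing GETs, while accepted writes to the posts endpoints from a client nobody recognises are the entries to reconcile with the revision history of the affected post.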
Updated by cboltz about 7 years ago
For the record - in the meantime, lizards.o.o was also updated to WordPress 4.7.2.
I agree with Thorsten that minimizing vectors is a good idea - but given the WordPress security history, it's probably a good idea to switch to something that is more secure. (I'm using S9Y for my personal blog, and it's quite boring - worst case is one security update per year :-) IIRC, most of the few security issues were only exploitable by logged in backend users.)